Category Archives: Security

Will Facebook CSO Face Jail Time?

Russell Wasendorf allegedly stole over $215 million from his customers and falsified bank statements to cover it up. Bernie Madoff was arrested for losing $50 billion while running Ponzi schemes. Jeffrey Skilling was initially sentenced to 24 years in prison and fined $45 million for recording projected future profits as actual profits.

Is the Facebook CSO becoming the new Enron CFO story?

After all, the CSO in question is known for declaring projected future plans as actual security features. When he joined Yahoo to take his first ever job as CSO (also breached catastrophically during his short time there) he pre-announced end-to-end encryption was coming. He never delivered and instead quietly quit to take another shot at being CSO…at Facebook.

It’s serious food for thought when reading about the historic breaches of Facebook that began around the time he joined and continued for years under his watch. It’s been said he’s only giving lip service to users’ best interests (given his failed Yahoo delivery) and more recently it’s been said adversaries to the US targeted him as a “coin operated” asset (given his public hostility to US government).

At this point it will be interesting to see if standing idly for so long and allowing mounting harms to customers, personally profiting from damages done, will lead to any kind of penalty akin to Skilling’s.

“Today, given what we know… I think we understand that we need to take a broader view of our responsibility,” [CEO] said.

“That we’re not just building tools, but that we need to take full responsibility for the outcomes of how people use those tools as well.”

[…]

Facebook has now blocked the facility.

“It is reasonable to expect that if you had that [default] setting turned on, that in the last several years someone has probably accessed your public information in this way,” Mr Zuckerberg said.

The last several years represent the tenure of the CSO in question. “Today, given what we know?” That responsibility was no secret before he joined, and it should not have taken so many years to come to the realization that a CSO is meant to stop harm instead of profiting from it. So the question becomes what is next for the man whose first and only two attempts at being a CSO have ended in the largest breaches in history.

Cyclists Defeat Cars in Urban Speed Challenge

This should be obvious to anyone who rides a bicycle in a city. Alas we also have studies to prove it true, year after year:

Since the event began in 2009, one mode has ruled supreme in terms of speed.

“People on bikes have beaten their car-driving counterparts more than two-thirds of the time,” Jane says. “A lot of people are surprised by that, because they don’t realize how fast and convenient cycling for transportation can be.”

This is confirmed by a 2017 study from the German Federal Environmental Agency, which determined that–in an urban setting–bikes are faster than cars for trips up to five kilometres. As it turns out, drivers vastly underestimate time spent sitting in traffic, searching for parking, and walking to their final destination.

Two-thirds is a crushing defeat for cars, and that’s simply measuring performance. When you add in the health and environment benefits it begs the question what people really value when riding in a car in a city.

Cyberspace Intervention Law and Evolving Views

I’m putting two opinion pieces by the esteemed Michael Adams together and getting an odd result.

While reflecting on “detailed analysis that is being conducted at USCYBERCOM, across agencies and at events like the Cyber Command legal conference”, Michael opines that the US has taken no position on whether it would come to the aid of a victim, or side with an aggressor, when confronted with cyberattack.

The U.S. asserts that extant international law, to include International Humanitarian Law (IHL) applies to cyberspace, but it has yet to offer definitive guidance on what cyberattacks, short of those causing obvious large scale kinetic destruction, constitute a prohibited use of force or invoke the LOAC. While the Tallinn Manual 2.0 may be the most comprehensive treatise on the applicability of international law to cyberspace thus far, it was developed without the official participation of, and has not been sanctioned by, States. The U.S. Government, for example, has taken no official position on the views set forth in the Manual.

Meanwhile, an earlier opinion piece tells us that taking action with fire-and-forget remote missiles hitting a faraway target, while not trying to “use the law as a shield”…deserves something akin to his respect:

…from the perspective of a lawyer who has advised the highest levels of military and civilian officials on literally thousands of military operations, there is something to be said for a client that refuses to use the law as a shield for inaction and that willingly acknowledges that other factors weighed most heavily on his or her decisions.

Maybe I’m reading too much into the theme across his work here, but I get the sense that if the aggressor is far enough removed from accountability, let alone retaliation, then a long-distance attack wouldn’t bring an urge to bother with any shields, including the law. This surely is the attraction to “swivel-chair” aggressors of using missiles and keyboards. Perception of their inaction in a lawyer’s eye is erased simply by pushing a button, even when the chance of success is as remote as their targets.

Origins of “Information Security”

I’ve promised for a while, years really, to write up the etymology of the word “hacker”. This is always a popular topic among the information security crowd. Although I regularly talk about it at conferences and put it in my presentations, the written form has yet to materialize.

Suddenly I instead feel compelled to write about a claim to the origins of the phrase “information security”. Credit goes to the book “Code Girls” by Liza Mundy, a bizarrely inaccurate retelling of cryptography history. While I don’t mind people throwing about theories of why “hacker” came to be a term, for some reason Mundy’s claim about “information security” shoves me right to the keyboard; per her page 20 Introduction to the topic:

[The 1940s] were the formative days of what is now called “information security,” when countries were scrambling to develop secure communications at a time when technology was offering new ways to encipher and conceal. As in other nascent fields, like aeronautics, women were able to break in largely because the field of code breaking barely existed. It was not yet prestigious or known. There had not yet been put in place elaborate systems of regulating and credentialing–professional associations, graduate degrees, licenses, clubs, learned societies, accreditation–the kinds of barriers long used in other fields, like law and medicine, to keep women out.

First of all, the reader now expects to see evidence of these “elaborate systems of regulating and credentialing” with regard to information security. I suspect Mundy didn’t bother to check the industry because there are none. Quite the opposite, the CISSP is regularly bashed as entry-level and insufficient proof of information security qualification, and experts regularly boast of having orthogonal degrees or none at all.

Second, she’s contradicting her own narrative. Only a page earlier she’s holding the field of code breaking as “storied British operation that employed ‘debs and dons’: brilliant Oxford and Cambridge mathematicians and linguists–mostly men, but also some women…”. So which is it? Information security was not prestigious and known, or it was a “storied” field of the highest caliber schools?

As an aside, I also find it frustrating that this book about recognizing the women of code breaking calls Bletchley “mostly men, but also some women”. The British operation was resistant at first to women, and the same dynamics as in the US shifted the balance, as the site itself will tell you:

The Bletchley Park codebreaking operation during World War 2 was made up of nearly 10,000 people (about 75% of this number was women). However, there are very few women who are formally recognised as cryptanalysts working at the same level as their male peers.

Mundy dismisses this as “…there also were thousands of women, many from upper-class families, who operated ‘bombe’ machines…” almost as if she’s buying into a boorish and misogynist narrative that dismisses the code breaking capabilities as “some women” and tosses out the rest as a bunch of wealthy knob turners. Who does she think went to Oxford and Cambridge? Meanwhile Bletchley historians tell us about the women’s “codebreaking successes and contribution to the Battle of Cape Matapan, which put the Italian Navy out of World War 2”.

Mundy also gives credit only to the British operation for breaking Enigma, which is patently false history as I’ve written about before.

So, third, she mentions the US resurrected its code breaking from WWI. This punches a hole through her theory that information security originated in the 1940s. Not only does a link to WWI indicate the field is older, it begs the question why she would even suggest such a late start date when there are also sources linking it to the US Civil War and earlier.

Enigma cracking started at the end of WWI and the Polish put their top mathematicians on it because they recognized relevance to the threat from a neighboring state, as history tends to repeat. The British focused on Spanish and Italian code-breaking in the 1930s because Franco and Mussolini were more interesting to them as threats to their domain. Mundy hints at this on page 14 when she admits information security students of the 1940s relied on earlier work:

The instructors would be given a few texts to jump-start their own education, including a work called Treatise on Cryptography, another titled Notes on Communications Security, and a pamphlet called The Contributions of the Cryptographic Bureaus in the World War–meaning World War I…

Anyway, aside from these three fundamental mistakes, a core piece missing from her analysis is that the US fell behind on code breaking and had to catch up because of isolationist tendencies as well as white supremacists in the US pressuring their country to remain neutral or even assist with Nazi aggression. Mundy mentions this briefly on page 13 and sadly doesn’t make the political connections.

[Captain, U.S.N. Laurance Frye] Safford elaborated on the qualifications they wanted by spelling out the kind of young women the Navy did not want. “We can have here no fifth columnists, nor those whose true allegiance may be to Moscow,” Safford wrote. “Pacifists would be inappropriate. Equally so would be those from persecuted nations or races–Czechoslovakians, Poles, Jews, who might feel an inward compulsion to involve the United States in war.”

Again Mundy is citing information security field expertise that existed long before the 1940s. And you have to really take in the irony of Safford’s antisemitism and political position here, given that it comes after Polish cryptographers already had cracked Enigma and were the foundation of Bletchley Park’s focus on German cryptography. Further to the point, as the NSA history of Safford claims, he saw himself as the person who actively tried to involve the United States in war.

He recognized the signs of war that appeared in the diplomatic traffic, and tried to get a warning message to Pearl Harbor several days before the attack, but was rebuffed by Admiral Noyes, the director of Naval communication.

Several days. A bit late, Safford. Imagine how many years of warning he might have had if he hadn’t demanded “persecuted nations or races” be excluded from information security roles.

America was behind because it didn’t perceive itself as a persecuted nation, and so it failed to expend resources on information security in a manner commensurate with the risk. There were pro-Nazi forces actively attempting to undermine or sabotage the US feedback loops by pushing a head-in-sand “neutrality” position all the way to Pearl Harbor.

By the time these “America First” agents of Nazi Germany were exposed and incarcerated, women simply offered a more available home front resource compared with men abruptly being sent to fight in the field (same as in Britain, France, Poland etc). Of course women were as good as, if not better than, the men. It was procrastination and the pre-war political position of allowing aid to Nazi Germany (GM, Standard Oil, etc) that created a desperate catch-up situation, opening the doors to women.

Information security’s formative days started long before the 1940s, but just like today the absence of feeling threatened led decision makers to under-invest in those who studied it, let alone those who practiced professionally without degrees or certifications. The question really is whether women would have been pulled into information security anyway, even if the US had not been under-investing in the years prior. British history tells us definitively yes, as 75% of Bletchley staff were women.

Does that percentage sound high? Mundy herself says on page 20 that 70% of US Army and 80% of US Navy information security staff were women. Fortunately she doesn’t discount the Americans as wealthy knob turners, and instead glorifies every American woman’s role as essential to the war effort. Mundy writes well, but her historical analysis is lacking and sometimes even self-defeating.